Notices by Soatok Dreamseeker (soatok@furry.engineer)

From a conversation earlier, this meme was inspired.

(Sticker used in edit from lynxvsjackalope on Twitter)

Newsweek: "Multiple Teslas set on fire in Germany"

Me, who survived hurricanes in Florida where Teslas spontaneously combusted: "Are you sure they didn't just... do that? They tend to just do that."

https://web.archive.org/web/20250314110232/https://www.newsweek.com/tesla-vehicles-set-fire-berlin-germany-elon-musk-2044692

Why was 90's era chatroom romance incompatible with polyamory?

Because the expression for love was <3

@lina @kopper @cafou @jessew @puppygirlhornypost2 I feel like this thread is going to end with a remix of "do none of you own a fucking kettle?"

EDIT (for context)

Anyone else want to @ me with stupid bullshit?

I've got the fucking block button ready.

Marketing idea:

Instead of calling olive oil "extra virgin" it is now "incel olive oil"

Really surprised there isn't a good furry blog post about Tail Recursion yet

I guess it's time to add more furry art to my latest blog post

https://news.ycombinator.com/item?id=43105421

Reviewing the Cryptography Used by Signal

Last year, I urged furries to stop using Telegram because it doesn't actually provide them with any of the privacy guarantees they think it gives them. Instead of improving Telegram's cryptography to be actually secure, the CEO started spreading misleading bullshit about Signal®. Since then, I've been flooded with people asking me about various other encrypted messaging apps…

http://soatok.blog/2025/02/18/reviewing-the-cryptography-used-by-signal/

WordPress 6.8 is due to switch their password hashing to bcrypt, and their application passwords to BLAKE2b.

Great news:

They disarmed the 72 char footgun with bcrypt in the way I recommended (HMAC, rather than just SHA2, to prevent hash shucking, and base64 to prevent NUL truncation).

https://core.trac.wordpress.org/changeset/59828

Letting me have image editing software was a mistake

I just had the dumbest shitpost idea of the year. It might be peak slacktivism.

• Compile a list of all the companies you never shop with.
• Compile a list of companies that have rolled back their DEI programs.
• For companies that are in both lists, email them insisting that you're boycotting them because of their embrace of racist, homophobic, etc. policies.
• Even if nobody changes their shopping behavior, they'll still waste time and resources trying to measure the impact of this policy change, which is a net-negative for their business.

(But also, maybe actually boycott the ones that you can.)

My job involves auditing and developing cryptographic software.

Most developers don't understand cryptography.

Most developers shouldn't ever need to understand cryptography.

Most users understand it less than developers do!

A large unwritten part of my job responsibility involves talking developers down from the ledge when they think cryptography is easy.

Once in a blue moon, I have a conversation that looks like this:

Dev: "I don't get why more people don't add end-to-end encryption! It was really easy: I broke the plaintext into 256 byte blocks and encrypted them independently with their recipient's RSA 2048-bit public key. I wrote it using BigInts in my computer science class, and it just works."

Me: "Hey that's horrifying and all but before we get into the details, how do you know which public key to use?"

Dev: "Oh, I store it in MySQL! The encryption is done in JavaScript, so I never see plaintext."

Me: [crying inside]

This contrived dialogue may have tripped alarms in your mind, even if you're not a nightmare magic math specialist.

If so, this is the same kind of "oh noooooo" I feel whenever a protocol decides which algorithm to use based entirely on potentially attacker-controlled data.

Grabbing the algorithm from a message signature? Bozo bit flipped!

Grabbing the public key from the message signature? I'm over the moon. (Session does this, even though there's an external bit of logic binding it to the user's long-term birationally equivalent X25519 public key.)

The only acceptable way to do this is:

1. Have a randomly generated Key ID that points to a specific keypair.
2. Include this Key ID in the data being authenticated.
3. To figure out the algorithm to use for a given key, consult the key (not the signature or message).

It doesn't even matter to me whether a protocol is exploitable or not, the second it fails to manage keys this way, I will never recommend it.

Do not pass go.

Do not collect $200.

At the end of 2022, I was like:

"DMs are plaintext? I should fix that."

And I still haven't even gotten to the actual part where messages would be encrypted or not, because I want to correctly tackle the hard problems around key management.

I've been rewriting drafts for a blog post since July 2023 about key management, and it's still deeply unsatisfying to me. I may never publish it at this rate.

It's really quite funny that I can write an introspective piece about not mattering and so many people respond to it with an argument.

https://soatok.blog/2024/09/09/doesnt-matter/

Maybe I'm a terrible writer if I can't be easily understood on such a simple concept.

Self-importance is an anchor. It can be useful in the proper environment, but it's dead weight otherwise.

Parasocial relationships and hero worship elevate others' importance. Narcissism elevates one's own importance. Neither of these things end well.

While I appreciate when others are trying to be kind, it does sadden me a bit when people miss the point so broadly that they insist the contrary to me.

That post wasn't me trying to fish for compliments. I would never publish something so shallow or self-serving.

If I died suddenly, there would still be furries, hackers, and furry hackers. Most of the people in either camp would be unaffected by my absence.

The same cannot be said of the overworked staff at your local conventions, and so on.

If you want a good idea of who matters, look at all the kind and creative souls that make the things you enjoy in life possible.

The artists, musicians, and so on.

But also the folks that run their own Fediverse servers so you can keep in contact with your friends (and maybe meet new ones) without needing a government or corporation's permission (or to pay them the cost of admission, for that matter).

Think about the hundreds of volunteers that make each convention possible.

Think about the people in your life who have been kind to you in some small way.

I promise you your life would be immensely worse off without them. Without me? Not so much.

And even if you're one of the few people that has materially benefitted from my blog, the idea of a persistent continuous self is an illusion anyway.

We're different people throughout our lives. Sometimes drastically.

Would you say the same about me 20 years ago?

Will you be able to say the same in 20 years, with all the unforeseeable changes?

Surely not.

I am so goddamn tired of seeing Generative AI in fucking everything

@ryanc Wait, how did that happen?